Evidence left behind shows leaker spoke Russian and had affinity for Soviet era.


We still don't know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country's lost Soviet era.


Exhibit A in the case is this document, created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name "Феликс Эдмундович." That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, "Феликс Эдмундович" is the first name and patronymic (Felix Edmundovich) of Felix Dzerzhinsky, the 20th-century Russian statesman best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)

Exhibit B is this opposition research document on Donald Trump, the presumptive Republican presidential nominee. Exhibit B is also written in Word. Several of the Web links in it are broken and contain the error message "Error! Hyperlink reference not valid." But in a PDF-formatted copy of the same document published by Gawker a few hours before Guccifer 2.0's post went live, the error messages with roughly the same meaning appear in Russian.

The image on the left, with an error message in Russian, shows the document as it appeared on Gawker. The image on the right shows it as it was published directly by Guccifer 2.0.

The most likely explanation is that the Russian error messages are an artifact left behind when the leaker converted the Word document into a PDF. That kind of conversion would be expected if the leaker's PC was set up to use Russian.
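The two document checks described above (the authorship fields in the Word metadata, and the broken-hyperlink error strings in the body) can be reproduced with a short script. This is an added example, not code from the article or from the researcher it cites: it builds a constructed minimal .docx in memory (a .docx is a zip containing docProps/core.xml and word/document.xml), reads the creator and last-modified-by fields, reports which Unicode scripts each is written in, and counts occurrences of the English error string. The sample names and paragraphs are constructed for the demonstration.

```python
"""Inspect a .docx for authorship metadata script and broken-hyperlink errors."""
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by the two OOXML parts we read (standard, not page-specific).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
# The English field-code error text quoted in the article.
HYPERLINK_ERROR = "Error! Hyperlink reference not valid."


def scripts_of(text):
    """Return the sorted set of Unicode scripts (e.g. LATIN, CYRILLIC) in text.

    The script is taken from the first word of each letter's Unicode name,
    so "Феликс" yields {"CYRILLIC"} and "Warren" yields {"LATIN"}.
    """
    found = set()
    for ch in text:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return sorted(found)


def inspect_docx(data):
    """Parse a .docx given as bytes and return the forensic summary as a dict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        body = ET.fromstring(zf.read("word/document.xml"))

    def prop(tag):
        el = core.find(tag, NS)
        return el.text if el is not None and el.text else ""

    creator = prop("dc:creator")
    modifier = prop("cp:lastModifiedBy")
    # Concatenate every <w:t> text run so an error string split across runs
    # inside one paragraph is still found.
    text = "".join(t.text or "" for t in body.iter(f"{{{NS['w']}}}t"))
    return {
        "creator": creator,
        "creator_scripts": scripts_of(creator),
        "last_modified_by": modifier,
        "last_modified_by_scripts": scripts_of(modifier),
        "hyperlink_errors": text.count(HYPERLINK_ERROR),
    }


def build_sample_docx(creator, modifier, paragraphs):
    """Constructed minimal .docx containing only the two parts inspect_docx reads."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{escape(creator)}</dc:creator>"
        f"<cp:lastModifiedBy>{escape(modifier)}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    runs = "".join(f"<w:p><w:r><w:t>{escape(p)}</w:t></w:r></w:p>" for p in paragraphs)
    doc = f'<w:document xmlns:w="{NS["w"]}"><w:body>{runs}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed sample: names and body text chosen to mirror the article's findings.
SAMPLE = build_sample_docx(
    "Warren Flood",
    "Феликс Эдмундович",
    ["Opposition research", "See: " + HYPERLINK_ERROR, HYPERLINK_ERROR],
)

if __name__ == "__main__":
    for key, value in inspect_docx(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real file, pass the bytes of the .docx to inspect_docx; a Cyrillic-only last-modified-by field alongside a Latin creator is exactly the pattern the article describes.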

The other piece of evidence is more circumstantial, but it still strengthens the case that the person publishing the documents intentionally or unintentionally left Russian—or at least Eastern European—fingerprints on the leak. It's the use of ")))" in the accompanying blog post. That's a common way people in Eastern Europe and Russia denote a smiley in text. The grammar in the post strongly suggests that English is not the writer's native language, although in fairness, there's nothing indicating that the writer's mother tongue is Russian or even Eastern European.

All three pieces of evidence were teased out of the documents and noted on Twitter by an independent security researcher who goes by the handle PwnAllTheThings. The theory is also consistent with everything previously published by CrowdStrike, the security firm the DNC hired to investigate its suspicions that its servers had been breached. CrowdStrike researchers said they quickly determined that the servers had been infiltrated by two separate Russian hacking groups. In response to Wednesday's leak, CrowdStrike raised the possibility that the leak was part of a Russian Intelligence disinformation campaign. Company officials declined to comment on Thursday for this post.

"There's also the fact that the hacker is publishing documents at all, which rules out lots of nation-states," the PwnAllTheThings researcher told Ars in a private message. "China, for example, would happily spy on the DNC to try and get the Trump oppo [opposition] research to support their foreign policy objectives, but they wouldn't publish the documents to influence the election."

A pretty big deal

"I think his analysis is very believable when you look at what CrowdStrike is saying and when you look at what other people are not saying," Aitel told Ars. "You don't have the FBI or DHS coming out and saying: 'Hey we don't think it's Russia.' If it is Russia, a nation state, it's a pretty big deal. Otherwise the FBI would say: 'We're conducting an investigation.' But they're not saying that."

Of course, it's still possible that the Russian fingerprints were left intentionally by someone who has no connection to Russia, or by a Russian-speaking person with no connection to the Russian government, or any number of other scenarios. The abundance of plausible competing theories underscores just how hard it is to accurately attribute attacks online and how perilous it is to reach summary conclusions.

Readers are once again advised to keep an open mind, and that means recognizing that Wednesday's leak by Guccifer 2.0 is merely consistent with what CrowdStrike has reported. On its own, the leak neither impeaches the veracity of the report nor does it prove it. If the government of Russia or any other country is using hacking in an attempt to influence the outcome of a US presidential election, that's an extremely serious development. But given the house of mirrors surrounding this entire episode, the evidence should be thoroughly investigated before anyone reaches that conclusion.

Promoted Comments

If the government of Russia or any other country is using hacking in an attempt to influence the outcome of a US presidential election, that's an extremely serious development.

I don't buy the nation state espionage angle. If this was done by an actual Russian agent, I don't think we'd see a data dump to brag about it.

The dump is because the Russians got caught at it and were called out by Crowdstrike. The information in the dump isn't damaging to the Russians, so it costs them nothing to dump it, but being associated with a hack on the US political candidates is potentially embarrassing. By concocting the fiction that the lone hacker "Guccifer 2.0" was the culprit backed up by having "him" release the dump, we now spend our time arguing over who Guccifer 2.0 really is instead of accepting Crowdstrike's report at face value. By the time any consensus is reached, the media has moved on to the next story. SOP for the Kremlin.

The whole language and colloquial smiley issue seems too obvious to me, I think if I was going to do some cyber skullduggery I might choose to research some such cultural stuff and insert them in my works.

The whole language and colloquial smiley issue seems too obvious to me, I think if I was going to do some cyber skullduggery I might choose to research some such cultural stuff and insert them in my works.

But maybe that's what they want us to think!

They shot down MH17, Putin and his cronies are not known for being subtle.

Readers are once again advised to keep an open mind, and that means recognizing that Wednesday's leak by Guccifer 2.0 is merely consistent with what CrowdStrike has reported. On its own, the leak neither impeaches the veracity of the report nor does it prove it. If the government of Russia or any other country is using hacking in an attempt to influence the outcome of a US presidential election, that's an extremely serious development. But given the house of mirrors surrounding this entire episode, the evidence should be thoroughly investigated before anyone reaches that conclusion.

You want us to be sensible and reasonable about politics? You're no fun...

The whole language and colloquial smiley issue seems too obvious to me, I think if I was going to do some cyber skullduggery I might choose to research some such cultural stuff and insert them in my works.

But maybe that's what they want us to think!

They shot down MH17, Putin and his cronies are not known for being subtle.

Pretty much. Their modus operandi is to toss out an audacious lie (little green men in Crimea, Russian Army soldiers on vacation in Ukraine, the Ukrainians shot down MH17 which was actually MH370, etc.) then let Putin's troll army and state media (including RT) go to work repeating and establishing the lie, while Western media and governments waste a lot of time trying to disprove it. By the time they have the evidence to do so, it's too late to matter, and the Kremlin moves on to the next audacious lie.

I wonder if these were Google docs whether it would have been less vulnerable. This article doesn't describe the access method this gent used to access the system or whether it was a central storage device or what. These details matter so anyone?

I wonder if these were Google docs whether it would have been less vulnerable. This article doesn't describe the access method this gent used to access the system or whether it was a central storage device or what. These details matter so anyone?

I don't think that info is public yet. At this point all I've seen that we know for certain is that two hacks were going on simultaneously with apparently no coordination between them, and they each exfiltrated some amount of data. Following that news, some data was presented to the press by an anonymous hacker who claims to have done it all himself.

The ))) syntax may have started in Russia (or at least a former Soviet state) from chat programs/websites that filtered ":" to prevent people from exploiting bugs and design flaws in said chat software by causing it to load a linked URL, such as one that contained JavaScript*.

If you want to make smileys but lack access to the colon, a logical extension would be to double/triple up on the parenthesis. Once one extremely popular chat site has begun using this kind of smiley syntax, it doesn't take long to spread to other communities in the same region, even on sites without the colon exclusion.

Eventually, using the ))) syntax became a tradition and people have long since stopped remembering the necessity that created it in the first place.

Context: I used to be hugely into web chats in the late nineties and early aughties. These chat sites were often rife with security bugs, including account impersonation bugs. The site owners would tackle security bugs in the laziest way possible. As most chat sites already had a method to deny curse words, they just added the ":" to the list of unacceptable substrings (often you couldn't type "Document" either).

Specifically, it was on a Hungarian chat site I used to frequent that I first saw the colon being explicitly blocked. The chat software they used wasn't created in-house; it was something they bought/took from somewhere else.

*Some chat sites also just wanted to ban all hyperlinks because hyperlinks would make users aware of the outside world or they'd be used to serve malware.

I wonder if these were Google docs whether it would have been less vulnerable. This article doesn't describe the access method this gent used to access the system or whether it was a central storage device or what. These details matter so anyone?

It'd only be as secure as the system used to access it.

If it is a targeted attack and they can hop onto his system and steal the offline word doc, then they'd probably be able to hop onto his system and download it when the victim accesses google docs.

If the government of Russia or any other country is using hacking in an attempt to influence the outcome of a US presidential election, that's an extremely serious development.

Is it as serious as wiretapping the phone of the leader of an allied country?

The West has been attempting to influence the outcomes of elections and revolutions around the world for so long, we seemingly consider it a prerogative.

I'm not condoning the hack, and I think Vladimir Putin is the most dangerous man in the world at this time, but given what we know the NSA has been up to, this is minor league spy games.

IMHO The most dangerous man in the world is the most powerful man in the world, and that's not Putin.

These clues give me the impression that the hacker is kind of unprofessional. It is still possible that the Russian Government is not connected to this individual. Also, independent hackers tend to have an ego problem: they love to brag and would dislike misattributions.

On the other hand, I always assumed that the US and Russian governments were still spying on each other for whatever reason. Heck, even Obama was spying on Merkel for no good reason.

Let's be frank here - it's WAY better to influence an election now, than hold shit over a president's head as blackmail to keep them from being impeached (if you want to look at a few extreme scenarios, I guess).


If the government of Russia or any other country is using hacking in an attempt to influence the outcome of a US presidential election, that's an extremely serious development.

I don't buy the nation state espionage angle. If this was done by an actual Russian agent, I don't think we'd see a data dump to brag about it.

The dump is because the Russians got caught at it and were called out by Crowdstrike. The information in the dump isn't damaging to the Russians, so it costs them nothing to dump it. By concocting the fiction that the lone hacker "Guccifer 2.0" was the culprit backed up by having "him" release the dump, we now spend our time arguing over who Guccifer 2.0 really is instead of accepting Crowdstrike's report at face value. By the time any consensus is reached, the media has moved on to the next story. SOP for the Kremlin.

I had read (unverified, I saw it on reddit =/ ) that a much larger dump from this got handed to wikileaks.

I mean, honestly, Guccifer was a Slavic hacker, and not connected to any nation states. He definitely wasn't working for Russia. This article confuses me because it comes to the conclusion that the CrowdStrike analysis is likely correct because they found evidence the hacker/hacker group was Russian.

Ok?

I mean, the hacker is calling himself Guccifer 2.0. I just assumed by default the guy was Slavic as well, assuming it isn't just misdirection.

I mean, it just seems odd to me that the "likely conclusion" but "keep an open mind" to this event is that CrowdStrike is right just because the hacker is Russian? I mean, if it is determined other hackers for other events are found to likely be Americans, are we to assume they are likely Pro-US hacking groups?

Anyway, the MAIN reason I am skeptical here is that the Democrat party, over the last 24 hrs, seems to be trying to drive some narrative that this was not a big deal. First, the head of the DNC, Debbie Wasserman Schultz, came out and stated that the only thing hacked was the Trump opp. research file, and that was it, and that this was linked to some pro-Russian hacking groups. I can understand the misunderstanding here, as many people often think if the hacker is Russian they are instantly somehow hacking for Russia, which is not true, but it was pushed as this espionage thing, that it was this big strong Russian government, and that is the only reason why stuff was compromised. She even came outright and told everyone that the donor files and personal info were safe. Then, the hacker, Guccifer 2.0, came out and said they were full of crap and lying, and then dumped a bunch of financial files, which, having gone through them, even include personal contact information for a lot of these donors. Of course, the DNC has quickly gotten quiet on trying to say otherwise.

To me, it just seems like if this were somehow a pro-Russian hacking group they wouldn't just dump the info like this. That is why I don't get this article that seems so easily to come to some almost-conclusion that, "Since the hacker appears to be Russian, looks like CrowdStrike was right, it was a pro-Russian group!" I get that from someone from the DNC, not understanding the hacking world, but it is an odd conclusion, imo, for an ARS author to use that as evidence that the initial report was likely right.

If the government of Russia or any other country is using hacking in an attempt to influence the outcome of a US presidential election, that's an extremely serious development.

I don't buy the nation state espionage angle. If this was done by an actual Russian agent, I don't think we'd see a data dump to brag about it.

If Russia wants someone like Trump on their side, the only way they can get it is to put some doubt into who did the hack because they stole files that could be damaging to Trump.

As in something the Russians would want to know about if they want to push his buttons should he be elected.

So I can see a strong incentive on the part of that particular nation/state to muddy the waters here.

OTOH, I'm hardly ruling out the possibility that you're correct in your assessment. But to do what he did, he'd have had to have spoofed or hijacked the IPs from the usual Russian Intel suspects (I always thought they used North Korean IPs to deflect from their stuff?) to have the trail lead back to the Russian government.

But Machiavellian schemes are part and parcel of Russian politics, so without any further proof of who dun it, it's likely to remain muddied waters. And that alone suggests it's the Russian government, since it serves their goals far better than mere bragging rights of one hacker. Who knows?

Maybe the Russians let the hacker do it, while watching over his/her shoulder and got what they wanted, too?

Looks to me that someone wants us to think that the leaker is Russian. Using those Russian smiley faces, broken English, metadata inserted into docs, using the name of a former director of Cheka (https://en.wikipedia.org/wiki/Felix_Dzerzhinsky)... all these clues are way too obvious.

The whole language and colloquial smiley issue seems too obvious to me, I think if I was going to do some cyber skullduggery I might choose to research some such cultural stuff and insert them in my works.

But maybe that's what they want us to think!

They shot down MH17, Putin and his cronies are not known for being subtle.

Pretty much. Their modus operandi is to toss out an audacious lie (little green men in Crimea, Russian Army soldiers on vacation in Ukraine, the Ukrainians shot down MH17 which was actually MH370, etc.) then let Putin's troll army and state media (including RT) go to work repeating and establishing the lie, while Western media and governments waste a lot of time trying to disprove it. By the time they have the evidence to do so, it's too late to matter, and the Kremlin moves on to the next audacious lie.

If you keep repeating a lie enough, it becomes the truth.

As in, I do believe that you think you're relaying the truth that Russia shot down the MH17.

As opposed to rebels in Ukraine, who got their hands on the missile system. Either captured from Ukraine, or delivered to them by Russia.

The whole language and colloquial smiley issue seems too obvious to me, I think if I was going to do some cyber skullduggery I might choose to research some such cultural stuff and insert them in my works.

But maybe that's what they want us to think!

They shot down MH17, Putin and his cronies are not known for being subtle.

Pretty much. Their modus operandi is to toss out an audacious lie (little green men in Crimea, Russian Army soldiers on vacation in Ukraine, the Ukrainians shot down MH17 which was actually MH370, etc.) then let Putin's troll army and state media (including RT) go to work repeating and establishing the lie, while Western media and governments waste a lot of time trying to disprove it. By the time they have the evidence to do so, it's too late to matter, and the Kremlin moves on to the next audacious lie.

If you keep repeating a lie enough, it becomes the truth.

As in, I do believe that you think you're relaying the truth that Russia shot down the MH17.

As opposed to rebels in Ukraine, who got their hands on the missile system. Either captured from Ukraine, or delivered to them by Russia.

You really believe it.

Since the rebels in Ukraine had a bunch of Russian military backing (all unofficial and deniable, of course) it might as well have been them.

Looks to me that someone wants us to think that the leaker is Russian. Using those Russian smiley faces, broken English, metadata inserted into docs, using the name of a former director of Cheka (https://en.wikipedia.org/wiki/Felix_Dzerzhinsky)... all these clues are way too obvious.

Easter eggs and distractions. Making the fiction comprehensive is difficult and missed clues that weren't scrubbed become more damning when discovered in isolation. By making the fiction just that little bit too obvious they're able to cause the questions to shift from "is he Russian" to "is it someone else trying to pin the blame on the Russians?". Again, the goal for the Kremlin is not to achieve a comprehensive shift of the blame, it's simply to achieve a successful distraction until no one cares any more.

The whole language and colloquial smiley issue seems too obvious to me, I think if I was going to do some cyber skullduggery I might choose to research some such cultural stuff and insert them in my works.

But maybe that's what they want us to think!

They shot down MH17, Putin and his cronies are not known for being subtle.

Pretty much. Their modus operandi is to toss out an audacious lie (little green men in Crimea, Russian Army soldiers on vacation in Ukraine, the Ukrainians shot down MH17 which was actually MH370, etc.) then let Putin's troll army and state media (including RT) go to work repeating and establishing the lie, while Western media and governments waste a lot of time trying to disprove it. By the time they have the evidence to do so, it's too late to matter, and the Kremlin moves on to the next audacious lie.

If you keep repeating a lie enough, it becomes the truth.

As in, I do believe that you think you're relaying the truth that Russia shot down the MH17.

As opposed to rebels in Ukraine, who got their hands on the missile system. Either captured from Ukraine, or delivered to them by Russia.

You really believe it.

I never said the Russians shot down MH17. I said that their lie was intended to establish that the Ukraine shot down MH17. It was probably the Donbass rebels who shot down the airliner, but what is not in doubt is that they did so with a Russian supplied Buk missile system, and given the fact that it was probably "vacationing" Russian soldiers who were actually operating that system, the actual difference between whether responsibility lies on the Donbass rebels or the Russian Army is pretty irrelevant.

Really? If somebody wanted to send a false flag and make people think it was somebody else what would they do...? Maybe use the name of a 20th Century Russian statesman who is best known for founding the Soviet secret police? I mean the only other way they could make it more blatantly obvious would be if they left a business card.

I think someone using a computer named “Феликс Эдмундович” does not imply that this, presumably Russian-speaking, person has a nostalgia for the country's lost Soviet era.

It could be a sense of humor, like a friend of mine had named his gaming computer “door stopper” or another had a computer named “cucumber” – she would then often use “let me jump on my cucumber”. One of my computers is named dr-schlotkin, does this mean I have a nostalgia for fixing noses?

IMHO The most dangerous man in the world is the most powerful man in the world, and that's not Putin.

Putin is the most powerful man in the world.

The U.S. is the most powerful country, sure, but Obama has nowhere near the authority that Putin has.

His presidency will have been from 2009 to 2016, the first few years he spent learning the ropes and verifying his birth certificate, the last year he's a lame duck who has to put up with Donald Trump insulting him on a daily basis. When Putin came to power, Obama sat in the Illinois state senate and Bill Clinton was president. In a few years, when Obama will be giving graduation speeches, opening libraries and promoting his memoirs, Putin will still rule Russia and shape global politics.

Obama had to fight tooth and nail to get a budget plan greenlit. Putin had the constitution changed to give him longer terms and let him appoint senators.

The American president is but the first bureaucrat; if he wants to do something, he has to convince hundreds of other bureaucrats to go along with it, compromising and selling out every step of the way; half the media will fight him on every issue in the battle for public opinion. If Vladimir Putin wants to get something done, it just gets done; the media will sell it to the public for him and the military makes sure the few who don't buy it stay quiet.

And that's why he is the most dangerous man in the world. Russia is still a political and military heavyweight and he's in control.